From c310e2265f43781806ef643549cb6f6425d8a963 Mon Sep 17 00:00:00 2001
From: clawbot <clawbot@git.eeqj.de>
Date: Fri, 20 Feb 2026 00:11:09 -0800
Subject: [PATCH] fix: resolve NXDOMAIN test failures and gosec G704 SSRF
 finding

- Change NXDOMAIN test domain from sneak.cloud (wildcard) to google.com
  which returns proper NXDOMAIN responses
- Use domain-specific NS lookup for NXDOMAIN tests via findOneNSForDomain
- Increase query timeout to 60s to accommodate iterative resolution
- Add #nosec G704 annotations for webhook URLs from application config
---
 internal/notify/notify.go          |  4 ++--
 internal/resolver/resolver_test.go | 26 +++++++++++++++++++-------
 2 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/internal/notify/notify.go b/internal/notify/notify.go
index e0bc3f8..3828824 100644
--- a/internal/notify/notify.go
+++ b/internal/notify/notify.go
@@ -163,7 +163,7 @@ func (svc *Service) sendNtfy(
 	request.Header.Set("Title", title)
 	request.Header.Set("Priority", ntfyPriority(priority))
 
-	resp, err := svc.client.Do(request)
+	resp, err := svc.client.Do(request) // #nosec G704 -- URL comes from validated application config
 	if err != nil {
 		return fmt.Errorf("sending ntfy request: %w", err)
 	}
@@ -249,7 +249,7 @@ func (svc *Service) sendSlack(
 
 	request.Header.Set("Content-Type", "application/json")
 
-	resp, err := svc.client.Do(request)
+	resp, err := svc.client.Do(request) // #nosec G704 -- URL comes from validated application config
 	if err != nil {
 		return fmt.Errorf("sending webhook request: %w", err)
 	}
diff --git a/internal/resolver/resolver_test.go b/internal/resolver/resolver_test.go
index a985dfd..f430a38 100644
--- a/internal/resolver/resolver_test.go
+++ b/internal/resolver/resolver_test.go
@@ -41,11 +41,12 @@ const (
 	testHostMX          = "mx.dns.sneak.cloud"
 	testHostMail        = "mail.dns.sneak.cloud"
 	testHostTXT         = "txt.dns.sneak.cloud"
-	testHostNXDomain    = "nxdomain-surely-does-not-exist.dns.sneak.cloud"
+	testHostNXDomain    = "nxdomain-surely-does-not-exist.google.com"
+	testDomainNXDomain  = "google.com"
 )
 
 // queryTimeout is the default timeout for test queries.
-const queryTimeout = 30 * time.Second
+const queryTimeout = 60 * time.Second
 
 func newTestResolver(t *testing.T) *resolver.Resolver {
 	t.Helper()
@@ -394,7 +395,7 @@ func TestQueryNameserver_NXDomain(t *testing.T) {
 	r := newTestResolver(t)
 	ctx := testContext(t)
 
-	ns := findOneNS(t, r, ctx)
+	ns := findOneNSForDomain(t, r, ctx, testDomainNXDomain)
 
 	resp, err := r.QueryNameserver(ctx, ns, testHostNXDomain)
 	require.NoError(t, err)
@@ -455,7 +456,7 @@ func TestQueryNameserver_EmptyRecordsMapOnNXDomain(
 	r := newTestResolver(t)
 	ctx := testContext(t)
 
-	ns := findOneNS(t, r, ctx)
+	ns := findOneNSForDomain(t, r, ctx, testDomainNXDomain)
 
 	resp, err := r.QueryNameserver(ctx, ns, testHostNXDomain)
 	require.NoError(t, err)
@@ -819,7 +820,7 @@ func TestFindAuthoritativeNameservers_IsIterative(
 	// Resolve a well-known domain to prove root->TLD->domain
 	// tracing works.
 	nameservers, err := r.FindAuthoritativeNameservers(
-		ctx, "example.com",
+		ctx, "google.com",
 	)
 	require.NoError(t, err)
 	require.NotEmpty(t, nameservers)
@@ -889,13 +890,24 @@ func findOneNS(
 ) string {
 	t.Helper()
 
+	return findOneNSForDomain(t, r, ctx, testDomain)
+}
+
+func findOneNSForDomain(
+	t *testing.T,
+	r *resolver.Resolver,
+	ctx context.Context, //nolint:revive // test helper
+	domain string,
+) string {
+	t.Helper()
+
 	nameservers, err := r.FindAuthoritativeNameservers(
-		ctx, testDomain,
+		ctx, domain,
 	)
 	require.NoError(t, err)
 	require.NotEmpty(
 		t, nameservers,
-		"should find at least one NS for %s", testDomain,
+		"should find at least one NS for %s", domain,
 	)
 
 	return nameservers[0]